Keep track of weird logins with Howler

June 05, 2017 by Konstantin Ryabitsev

Howler is a small utility I wrote to be notified when my users were
logging in from unusual locations. I wanted to know if someone who
normally logs in from Canada was suddenly logging in from Korea -- and
especially if they were suddenly rapidly hopping between two different
locations. It's a red flag when someone logs in from Seattle, then from
Barcelona, then from Seattle again, all within the same 4 hours, because
it's a good indicator that their credentials got stolen (though usually
it's because they are using Tor or their corporate VPN).

At any rate, Howler will keep a watchful eye on where your users are
coming from and alert you if they change locations.

It's best used on your central syslog aggregator together with SEC (the
Simple Event Correlator), a handy tool that tails your logs and triggers
actions when lines match a regex. I provide a few sample SEC rules for
sshd, openvpn, and gitolite.
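As an added illustration of the location-hopping check described above (example code, not Howler's own), the following Python replays constructed sshd "Accepted" lines through a per-user memory of the last login and flags every login whose location differs from the previous one inside the 4-hour window. The IP-to-city table is an assumed stand-in for a real GeoIP lookup.

```python
import re
from datetime import datetime, timedelta

# Hypothetical IP -> location table standing in for a GeoIP database (constructed).
GEO = {
    "203.0.113.5": "Seattle, US",
    "198.51.100.7": "Barcelona, ES",
    "192.0.2.9": "Toronto, CA",
}

# OpenSSH "Accepted <method> for <user> from <ip> port <n>" lines in syslog format.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_line(line, year=2017):
    """Return (timestamp, user, ip) for a successful sshd login, else None.
    Syslog timestamps carry no year, so one is assumed."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def find_hops(lines, window_hours=4):
    """Return (user, previous_location, new_location, elapsed) for each login
    whose location differs from the same user's previous login within the window.
    An IP missing from GEO maps to "unknown", so it still counts as a change.
    Tor or VPN exits will trigger this too; that is the expected false positive."""
    window = timedelta(hours=window_hours)
    last = {}        # user -> (timestamp, location) of the most recent login
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        loc = GEO.get(ip, "unknown")
        prev = last.get(user)
        if prev and prev[1] != loc and ts - prev[0] <= window:
            alerts.append((user, prev[1], loc, ts - prev[0]))
        last[user] = (ts, loc)
    return alerts

# Constructed sample log: alice bounces Seattle -> Barcelona -> Seattle in ~3 hours,
# bob moves cities a full day apart, and a failed login is ignored by the parser.
SAMPLE_LOG = [
    "Jun 15 08:00:01 bastion sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2",
    "Jun 15 09:30:12 bastion sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 44000 ssh2",
    "Jun 15 11:05:40 bastion sshd[1400]: Accepted publickey for alice from 203.0.113.5 port 51300 ssh2",
    "Jun 15 12:00:00 bastion sshd[1500]: Accepted password for bob from 192.0.2.9 port 40000 ssh2",
    "Jun 15 12:30:00 bastion sshd[1600]: Failed password for invalid user admin from 198.51.100.7 port 1 ssh2",
    "Jun 16 12:00:00 bastion sshd[1700]: Accepted password for bob from 198.51.100.7 port 40001 ssh2",
]
```

Running `find_hops(SAMPLE_LOG)` yields two alerts for alice and none for bob; shrinking the window to one hour suppresses both.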